This document discusses classifying viruses through recursion theorems. It proposes defining four classes of viruses based on different versions of Kleene's second recursion theorem. Blueprint viruses simply duplicate their code, evolving blueprint viruses can mutate on duplication. Smith viruses can use their propagation function directly, and Smith distribution viruses can mutate both their code and propagation function. The document shows each virus category is linked to a form of the recursion theorem, providing a taxonomy of viruses based on these theorems. It introduces a simple programming language to illustrate constructing the different virus types.
Functions allow programmers to organize and reuse code. There are three types of functions: built-in functions, modules, and user-defined functions. User-defined functions are created using the def keyword and can take parameters and arguments. Functions can return values and have different scopes depending on whether a variable is local or global. Recursion is when a function calls itself, and is useful for breaking down complex problems into simpler sub-problems. Common recursive functions calculate factorials and Fibonacci numbers, and generate Pascal's triangle.
A method to detect metamorphic computer viruses
The document discusses a graduation ceremony held by the Center for Advanced Computer Studies (CACS) at the University of Louisiana at Lafayette. It describes events that took place at the ceremony, including awarding prizes to students for a paper contest, guest speakers from local businesses, and music performances. It also previews selected articles from the student papers that will be featured in the newsletter.
An approach towards disassembly of malicious binary executables
The thesis presents a novel segmentation-based approach for disassembling malicious and obfuscated binary executables. The segmentation algorithm examines each byte of the program independently to identify code segments without relying on control flow or entry point information. This makes the approach robust against common obfuscations. The segments are then chained and pruned to remove false positives and produce a disassembly. The technique is evaluated on clean, malicious, and non-executable files to demonstrate its effectiveness in dealing with obfuscated code.
This summary provides the key details about a generic virus scanner in C++ described in the document:
The document describes a generic virus scanner implemented in C++ that can scan files for viruses across different file systems, file types, and operating systems. It defines an abstract class called VirInfo that encapsulates common virus features, and subclasses can be used to define viruses that infect different systems. The scanner's general design allows it to potentially scan for other types of threats beyond just viruses. The document identifies signature scanning as the most common and effective method for detecting known viruses.
A hybrid model to detect malicious executables
This document presents a hybrid model for detecting malicious executables that uses three types of features: binary n-grams extracted from executable files, assembly n-grams extracted from disassembled executables, and DLL function calls extracted from program headers. A classifier like SVM is trained on the combined "hybrid feature set" to distinguish between benign and malicious executables. The model achieves high detection accuracy and low false positive rates compared to other feature-based approaches.
A fast static analysis approach to detect exploit code inside network flows
This document proposes a static analysis approach to detect exploit code within network flows. It aims to distinguish between data and executable code by looking for evidence of meaningful data and control flow patterns within binary code fragments recovered through disassembly, without knowing the exact location of the code. The approach is evaluated on real network trace data and is shown to detect a variety of exploit code, including polymorphic and metamorphic variants. It also automatically generates precise signatures to complement signature-based detection systems.
The document describes the JJEncode JavaScript encoding method, which produces files containing only symbol characters such as '$', '_' and '+'. It works by first initializing a variable $ to -1 and then creating an object whose properties are assigned single characters taken from strings. This object is then used to concatenate characters into strings that are assigned to additional properties, including 'constructor'. Finally, the code evaluates (0)['constructor']['constructor'], which calls the Function constructor to decode and run the encoded payload. The encoding avoids alphanumeric characters to evade detection, but it is still possible to analyze how it works.
A public health approach to preventing malware propagation
This document is a thesis submitted by Kim Zelonis to the Heinz School of Carnegie Mellon University in partial fulfillment of a Master's degree in Information Security and Policy Management. The thesis proposes applying a public health approach used to prevent the spread of diseases like HIV/AIDS to the problem of preventing the spread of malware. It argues that current technological solutions alone are not enough, and that human behaviors which enable the spread of malware need to be addressed through interventions like education campaigns, just as public health has addressed behaviors related to HIV/AIDS. The thesis provides background on the malware problem and its similarities to disease epidemics, compares the histories and spreads of malware and HIV/AIDS, analyzes specific public health interventions for HIV
A cooperative immunization system for an untrusting internet
This document proposes a cooperative immunization system where nodes work together to defend against computer viruses and worms. It presents an algorithm called COVERAGE that has nodes share information about observed infection rates. Based on this shared information, each node probabilistically determines which viruses to respond to. Simulations show COVERAGE is more effective against viruses and more robust against malicious participants compared to existing approaches.
A method for detecting obfuscated calls in malicious binaries
This document presents a method to detect obfuscated calls in malicious binaries through static analysis. It uses abstract interpretation to model the stack and represents all potential abstract stacks as an abstract stack graph. Violations in the normal call-ret convention can be detected from this graph. The method is implemented in a prototype tool called DOC that detects eight types of obfuscations. It aims to improve malware analysis by removing common obfuscation techniques, but does not claim to detect all obfuscations as the problem is undecidable.
A note on Cohen's formal model for computer viruses
The document discusses refinements to Fred Cohen's formal model of computer viruses using Turing machines. The authors propose using a universal Turing machine (UTM) as the model of a computer, with viruses defined as descriptions of Turing machines that cause other descriptions to be written to the UTM's tape. This increases clarity by providing counterparts for programs and operating systems. The authors also suggest viruses could modify existing program descriptions on the tape rather than just writing new ones. Under this modified model, computer viruses still have the full computational power of Turing machines and whether a string is a virus remains undecidable.
This document provides an introduction to computer viruses, including what they are, how they spread, and how to protect against them. It defines viruses and explains that they are programs that can damage computers. Viruses typically spread by opening infected files or sharing media. To protect against viruses, the document recommends installing anti-virus software and keeping it updated, being cautious of files from unknown sources, and regularly scanning your computer. It also provides information on free anti-virus software available through the university and instructions for what to do if your computer becomes infected.
1) The document provides an overview of a framework for deception that was developed to better understand and analyze deceptions.
2) The framework models deceptions involving individuals, computers, networks, and organizations. It was used to model select deceptions and assist in developing new ones.
3) Further work is needed to systematize the creation of defensive deceptions, including expanding the collection of deception materials, creating a database to support deception analysis and creation, and maintaining a team of experts to implement specific deceptions.
A plague of viruses: biological, computer and marketing
1) The document analyzes how biological, computer, and marketing viruses spread through networks in similar ways.
2) It distinguishes between densely knit networks that promote quick virus spread within the group, and ramified networks that allow viruses to spread more widely between groups.
3) Biological, computer, and marketing viruses all spread rapidly in densely knit networks due to frequent contact and overlap between group members, increasing chances of exposure and re-exposure to viruses.
Bot software spreads, causes new worries
Bot software infects millions of computers worldwide without the owners' knowledge and turns them into zombies that perform malicious tasks as part of a bot network. These bot networks, which can include thousands of infected computers, are used to spread viruses and worms, send spam emails, install spyware, and launch denial-of-service attacks. While initially just an automated way to spread malware, bot networks are now also used for criminal activities like identity theft due to their ability to stealthily command a large number of compromised computers. Security experts warn that the proliferation of bot networks poses serious risks and is very difficult to stop given their automation and scale.
This document provides an overview of Unix rootkits, including their functionality, types, usage trends, and case studies of captured rootkits. Rootkits aim to maintain access, attack other systems, and conceal evidence. They are implemented through binary, kernel, and library techniques. Case studies examine the SA binary kit, the W00tkit kernel kit, and the RK library kit to illustrate rootkit techniques and evolution over time. The document concludes that rootkits combine tools to establish hidden, persistent access and attack other machines while avoiding detection.
A formal definition of computer worms and some related results
This document proposes a formal definition of computer worms and discusses their properties. It begins by reviewing existing formal definitions of computer viruses and their key properties. It then defines worms as a subclass of viruses, where viruses are self-replicating programs and worms specifically initialize interpretation of their replicas. Many properties of viruses also apply to worms given this definition. The document summarizes results, draws conclusions, and proposes areas for further research.
A study of detecting computer viruses in real infected files in the n-gram re...
This document discusses detecting computer viruses in real infected executable files using machine learning methods and n-gram representations. It created three datasets: benign files, virus loader files, and real infected executable files. Experiments showed that while machine learning methods can detect viruses in small virus loader files, detecting viruses is nearly impossible in real infected executable files when represented as n-grams, due to the high dimensionality and low information content of the n-gram vectors. The document explores this limitation from an information-theoretic perspective and through classification experiments.
This document presents an elementary and unified approach to program correctness through the algorithmic language DHL. It aims to unify Hehner's recursive predicative programming theory with Dijkstra's iterative style without higher-order logic. The document defines basic concepts of Hehner's predicative programming theory, special specification notations, and refinements. It also outlines an algorithmic scheme for Dijkstra's guarded commands and definitions for user-defined functions and implemented expressions in a programming language.
This document discusses two theoretical results about computer viruses:
1) Cohen's 1987 result that no algorithm can perfectly detect all possible viruses.
2) The authors' new result that there are viruses that no algorithm can detect, even under a more liberal definition of detection. They provide an example of a polymorphic virus that is sufficiently varied such that any detection algorithm could be fooled by an instance of the virus.
Are current antivirus programs able to detect complex metamorphic malware an ...
This document presents research evaluating current antivirus programs' ability to detect complex metamorphic malware. The researchers designed a metamorphic engine to mutate malware code while preserving functionality. They applied this engine to the MyDoom worm and tested major antivirus products. Most products were unable to reliably detect the mutated MyDoom, demonstrating limitations in static detection techniques and the need for dynamic behavioral analysis to identify evolved malware variants.
This talk aims at introducing, through a very simple example, a way to represent data types in the λ-calculus, and thus, in functional programming languages, so that the structure of the data types itself becomes a parameter.
This very simple technical trick allows one to reconsider programming as a way to express morphisms between models of a logical theory. As an application, it makes it possible to realise a way to perform anonymous computations.
From a philosophical point of view, the presented approach shows how it is possible to conceive a real programming system where properties like correctness of programs can be proved, but data cannot be inspected, not even in principle.
This document presents an abstract theory of computer viruses. It begins with definitions of basic concepts like what constitutes a computer virus and different types of viruses. A computer virus is formally defined as a partial recursive function that maps programs to either infected programs, programs that perform their intended task, or programs that injure. Viruses are classified as benign, Epeian, disseminating, or malicious based on whether they are pathogenic, contagious, or both. Detecting viruses is proved to be computationally intractable. Isolation of computing environments is discussed as a potential protection strategy against viruses.
This document discusses programming languages like C, C++, Python, and Java by providing code examples that calculate the addition of two numbers in each language. For C, the code uses header files, variables, data types, and print statements. For C++, it is similar to C but uses cout instead of printf. Python code simply prints the sum of two variables. The Java code imports utilities, defines a class, creates objects, and uses methods to return the sum. In conclusion, it compares the basic differences between these languages like their origins, interpreted vs compiled nature, and object-oriented capabilities.
ASM based modelling of self-replicating programs
The document describes modeling self-replicating programs like computer viruses using Abstract State Machines (ASMs). It outlines modeling an operating system environment with modules, agents, and a user. A viral module is defined that copies itself to uninfected modules. The model was implemented in AsmL, with classes representing storage, operating system, and user. Executable files were modeled using an interface. The virus searches for uninfected files and modifies the file table to include itself when a file is infected.
The document discusses various topics related to analyzing algorithms, including:
i. Analysis of running time and using recurrence equations to predict how long recursive algorithms take on different input sizes.
ii. Iteration, induction, and recursion as fundamental concepts in data structures and algorithms. Recursive programs can sometimes be simpler than iterative programs.
iii. Proving properties of programs formally or informally, such as proving statements are true for each iteration of a loop or recursive call of a function. This is often done using induction.
This document is a thesis submitted by Iason Papapanagiotakis-Bousy to University College London for the degree of Master of Science in Information Security. The thesis defines external metamorphic obfuscation engines using term rewriting systems and analyzes the problem of learning the rewriting rules of such obfuscations given a finite set of malware samples. Specifically, it proves the impossibility of exactly learning the rules but provides an algorithm for approximating the rules under certain assumptions. The work aims to lay the foundations for further research on analyzing metamorphic malware obfuscations.
The document discusses the evolution of programming languages from machine language to high-level languages. It describes four common programming paradigms - procedural, object-oriented, functional, and declarative. It also discusses common concepts found in most procedural and object-oriented languages such as identifiers, data types, variables, and literals.
The document discusses the evolution of programming languages from machine language to high-level languages. It describes four common programming paradigms - procedural, object-oriented, functional, and declarative. It also discusses common concepts found in most procedural and object-oriented languages such as identifiers, data types, variables, and literals.
International Journal of Computational Engineering Research (IJCER)ijceronline
International Journal of Computational Engineering Research(IJCER) is an intentional online Journal in English monthly publishing journal. This Journal publish original research work that contributes significantly to further the scientific knowledge in engineering and Technology.
Modeling and Threshold Sensitivity Analysis of Computer Virus EpidemicIOSR Journals
This document presents a mathematical model for analyzing the spread of computer viruses through a network. It modifies an existing epidemic model by incorporating a range of parameters rather than constant values. The model classifies computers into four groups: susceptible, exposed, infected, and immunized. It uses differential equations to model how the population in each group changes over time and analyzes the epidemic threshold. The document estimates parameter values based on studies of real computer viruses. It aims to help understand virus spreading and determine measures to control viral epidemics.
This document presents a mathematical model for analyzing the spread of computer viruses through a network. It modifies an existing epidemic model by incorporating a range of parameters rather than constant values. The model classifies computers into four groups: susceptible, exposed, infected, and immunized. It uses differential equations to model how the population in each group changes over time and analyzes the epidemic threshold. The document estimates parameter values based on studies of real computer viruses. It aims to help understand virus spreading and determine measures to control viral epidemics.
This document proposes a general, formal definition of malware as a single sentence in modal logic. It defines malware as software that causes incorrectness in other software. It also derives formal definitions for benign software (benware), anti-malware, and medical software for affected systems (medware) based on this definition of malware. The document argues that its definition of malware is abstract and independent of specific malware manifestations, making it generally applicable.
This document discusses programming languages and paradigms. It begins by describing the evolution of programming languages from machine language to high-level languages. It then discusses four programming paradigms - procedural, object-oriented, functional, and declarative. For each paradigm, it provides examples of languages that use that paradigm and describes key concepts like objects, classes, inheritance, and polymorphism. It concludes by describing common concepts found in many procedural and object-oriented languages like variables, data types, expressions, statements, and subprograms.
CORCON2014: Does programming really need data structures?Marco Benini
This talk tries to suggest how computer programming can be conceptually simplified by using abstract mathematics, in particular categorical semantics, so to achieve the 'correctness by construction' paradigm paying no price in term of efficiency.
Also, it introduces an alternative point of view on what is a program and how to conceive data structures, namely as computable morphisms between models of a logical theory.
This document compares two techniques for extracting programs from classical proofs: Berger-Buchholz-Schwichtenberg refined interpretation (BBS) and Godel's functional interpretation (FI). BBS can directly handle some but not all classical proofs, while FI can directly handle all proofs after a preprocessing step. The document analyzes the performance of BBS and FI on extracting a program to prove that two functions cannot be the identity. Both techniques find an unexpectedly clever solution, but FI provides more information in its extracted program.
Algebraic specification of computer viruses and their environmentsUltraUploader
This document discusses formal specifications of computer viruses using algebraic approaches. It introduces Abstract State Machines (ASMs) and OBJ to model computer viruses at different levels of abstraction. ASMs are used to develop models of abstract and specific virus types, along with an executable specification in AsmL. OBJ is used to specify viruses in an ad hoc programming language and detect metamorphic computer viruses. The formal specifications provide theoretical and experimental frameworks to analyze computer virus behaviors and environments.
A Systematic Approach To Probabilistic Pointer AnalysisMonica Franklin
This document presents a formal framework for probabilistic pointer analysis of probabilistic programs. It describes constructing a discrete-time Markov chain representing the concrete semantics of a probabilistic While program with static pointers by composing the probabilistic control flow and data updates using a tensor product. It then applies probabilistic abstract interpretation to obtain an abstract semantics with drastically reduced size. The analysis systematically derives probabilistic pointer information like points-to matrices and tensors, providing an alternative to experimental profiling approaches.
Similar to A classification of viruses through recursion theorems (20)
This document is the manual for PHP, the PHP Documentation Group's copyright from 1997 to 2002. It contains information about installing and configuring PHP on various operating systems like Unix, Linux, Windows, etc. It also covers PHP syntax, functions, classes, and other features. The manual is distributed under the GNU General Public License and parts of it are also distributed under the Open Publication License. It was translated into Italian with contributions from multiple people.
Broadband network virus detection system based on bypass monitorUltraUploader
The document describes a Broadband Network Virus Detection System (VDS) based on bypass monitoring that can detect viruses on high-speed networks. The VDS uses four detection engines to analyze network traffic for viruses based on binary content, URLs, emails, and scripts. It accurately logs statistical information on detected viruses like name, source/target IPs, and spread frequency. The VDS mirrors network traffic to a detection engine in real-time without needing to reassemble packets into files. This allows it to efficiently detect viruses directly in network packets or data streams on gigabit-speed networks.
This document discusses botnets and their applications. It begins with an overview of botnets, how they are controlled through command and control servers, and how rootkits can help conceal botnet activity. It then explores how botnets can be used for spam, phishing, click fraud, identity theft, and distributed denial-of-service attacks. Detection and mitigation techniques are also summarized, including network intrusion detection, honeynets, DNS monitoring, and modeling botnet propagation across timezones. Recent botnets like AgoBot, PhatBot, and Bobax are also examined in the context of spam distribution. Open research questions around botnet membership detection, click fraud detection, and phishing detection are presented.
Blended attacks exploits, vulnerabilities and buffer overflow techniques in c...UltraUploader
The document discusses blended threats that combine exploits and vulnerabilities with computer viruses. It begins with definitions of blended attacks and buffer overflows. It then describes three generations of buffer overflow techniques as well as other vulnerabilities exploited by blended threats, such as URL encoding and MIME header parsing. The document also discusses past threats like the Morris worm and CodeRed that blended exploits with viruses, and techniques used to combat future blended threats through defense in depth.
Win32/Blaster was a worm that exploited a vulnerability in Windows RPC to infect systems running Windows 2000 and Windows XP. It installed itself to automatically run on startup and then attempted to infect other systems on the local network and randomly selected IP addresses. The infection process involved exploiting the RPC vulnerability to execute a remote shell, downloading the worm binary, and executing it. It also launched a SYN flooding DDoS attack against Windows Update sites each month after the 16th. The worm spread quickly after the vulnerability was disclosed and highlighted the increasing automation and harm of worms.
Bird binary interpretation using runtime disassemblyUltraUploader
The document describes BIRD (Binary Interpretation using Runtime Disassembly), a binary analysis and instrumentation infrastructure for the Windows/x86 platform. BIRD combines static and dynamic disassembly to guarantee that every instruction in a binary is analyzed before execution. It provides services to convert binary code to assembly and insert instrumentation code without affecting program semantics. The prototype took 12 student months to develop and can successfully analyze applications like Microsoft Office, Internet Explorer, and IIS with low overhead of below 4%.
Biologically inspired defenses against computer virusesUltraUploader
This document discusses two biologically inspired approaches to computer virus detection and removal: a neural network virus detector that learns to identify infected and uninfected programs, and a computer immune system that can automatically identify, analyze, and remove new viruses from a system. The neural network technique has been incorporated into an IBM commercial antivirus product, while the computer immune system is still in prototype form. Both aim to replace human analysis of viruses to allow faster response times needed to address increasing rates of new virus creation and spread.
1. The document discusses biological viruses and computer viruses, providing background on how biological viruses work by hijacking cellular mechanisms of DNA replication, transcription and translation. It defines a computer virus as a piece of code with self-replicating ability that relies on other programs to exist, similar to biological viruses. 2. Computer viruses can cause damage by infecting programs which then infect other programs, potentially spreading like an epidemic across connected computers. 3. The document argues that a better understanding of biological and computer mechanisms can help improve defenses against viruses.
Biological aspects of computer virologyUltraUploader
This document discusses biological aspects of computer viruses and how factors that influence the spread of biological pathogens can also affect the propagation of computer malware. It analyzes three major factors that influence the spread of a computer worm: the infection propagator, which examines characteristics of exploited vulnerabilities like prevalence and age; the target locator, which focuses on how worms find new targets; and the worm's virulence, which looks at aspects that increase its infectiousness. The document suggests studying computer virus propagation through the lens of epidemiology models used for infectious diseases.
Biological models of security for virus propagation in computer networksUltraUploader
This document discusses how biological models of disease propagation and defense mechanisms in living organisms can inspire new approaches to computer network security and virus detection. Specifically, it describes how genetic regulatory networks that turn off harmful genes, protein interaction networks that model cellular processes, and epidemiological models of disease spread can provide models for automatically detecting and containing computer viruses without relying solely on pre-defined virus signatures. The authors propose several new security models drawing on these biological analogies, such as using surrogate code to maintain system functionality when parts are shut off, modeling network interactions to determine how viruses propagate, and evolving network services in real-time to reconstitute functionality after attacks.
This document summarizes a research paper about binary obfuscation techniques that aim to make reverse engineering of software more difficult. The paper proposes replacing control transfer instructions like jumps and calls with signals (traps) that are handled by signal handling code to perform the control transfer. It also inserts dummy control transfers and junk instructions after traps to confuse disassemblers. Experimental results show this obfuscation causes disassemblers to miss 30-80% of instructions and make mistakes on over half of control flow edges, while increasing execution time.
Beyond layers and peripheral antivirus securityUltraUploader
This white paper from Trend Micro discusses strategies for effective antivirus security beyond just protecting desktops. It argues that while desktop protection is still important, viruses often spread faster than antivirus updates can be deployed to endpoints. It therefore recommends taking additional measures across the network like stopping viruses at email/file servers, firewalls, and through education. The paper provides an overview of virus impacts and outlines Trend Micro's solutions that can block new threats before pattern updates and help repair damage.
Viruses exist in a liminal state between living and non-living, integrating themselves into host systems and hijacking their mechanisms to replicate. The author discusses the emergence and proliferation of various viral strains throughout history, from early microbial viruses to more recent digital and cultural viruses. It was not until 1980 that scientists began to recognize computer, retro, and cultural viruses as interconnected elements of a singular viral network, rewriting host codes across domains. However, the author argues that a broader retroviral activity had been operating for much longer, imperceptibly reprogramming biological and cultural systems.
A Classification of Viruses through Recursion Theorems
Guillaume Bonfante, Matthieu Kaczmarek and Jean-Yves Marion
Guillaume.Bonfante@loria.fr, Matthieu.Kaczmarek@loria.fr and Jean-Yves.Marion@loria.fr
Nancy-Université - Loria - INPL - Ecole Nationale Supérieure des Mines de Nancy
B.P. 239, 54506 Vandœuvre-lès-Nancy Cédex, France
Abstract. We study computer virology from an abstract point of view. Viruses and worms are self-replicating programs, whose constructions are essentially based on Kleene's second recursion theorem. We show that we can classify viruses as solutions of fixed point equations which are obtained from different versions of Kleene's second recursion theorem. This leads us to consider four classes of viruses with various polymorphic features. We propose to use virus distribution in order to deal with mutations.
Topics covered. Computability theoretic aspects of programs, computer virology.
Keywords. Computer viruses, polymorphism, propagation, recursion theorem, iteration theorem.
1 Theoretical Computer Virology
Computer virus infections are an important information security breach. Following Filiol's book [9], we do think that theoretical studies should help to design new defenses against computer viruses. The objective of this paper is to pursue a theoretical study of computer viruses initiated in [4]. Since viruses are essentially self-replicating programs, we see that virus programming methods are an attempt to answer von Neumann's question [22].
    Can an automaton be constructed, i.e., assembled and built from appropriately "raw material", by another automaton? [...] Can the construction of automata by automata progress from simpler types to increasingly complicated types?
Abstract computer virology was initiated in the 80's by the seminal works of Cohen and Adleman [7]. The latter coined the term virus. Cohen defined viruses with respect to Turing Machines [8]. Later [1], Adleman took a more abstract point of view in order to have a definition independent from any particular computational model. Then, only a few theoretical studies followed those seminal works. Chess and White refined the mutation model of Cohen in [6]. Zuo and Zhou formalized polymorphism from Adleman's work [23] and they analyzed the time complexity of viruses [24].
Recently, we tried [3, 4] to formalize the notion of virus inside computability theory. This formalization captures the previous definitions that we have mentioned above. We also characterized two kinds of viruses, blueprint and smith viruses, and we proved their existence constructively. This work proposes to go further, introducing a notion of distribution to take into account polymorphism or metamorphism. We define four kinds of viruses:
1. A blueprint virus is a virus which reproduces by just duplicating its code.
2. An evolving blueprint virus is a virus which can mutate when it duplicates by modifying its code. Evolving blueprint viruses are generated by a distribution engine.
3. A smith virus is a blueprint virus which can use its propagation function directly to reproduce.
4. Lastly, we present Smith distributions. A virus generated by a Smith distribution can mutate its code like evolving blueprint viruses, but also mutate its propagation function.
We show that each category is closely linked to a corresponding form of the recursion theorem, giving a rational taxonomy of viruses. So recursion theorems play a key role in constructions of viruses, which is worth mentioning. Indeed, and despite the works [11, 12], recursion theorems are used essentially to prove "negative" results such as the constructions of undecidable or inseparable sets, see [19] for a general reference, or such as Blum's speed-up theorem [2].
Lastly, we switch to a simple programming language named WHILE+ to illustrate the fact that our constructions live in the programming world. Actually, we follow the ideas of the experimentation of the iteration theorem and of the recursion theorem, which are developed in [11, 12] by Jones et al. and very recently by Moss in [16].
2 A Virus Definition
2.1 The WHILE+ language
The domain of computation D is the set of binary trees generated from an atom nil and a pairing mechanism ⟨·, ·⟩. The syntax of WHILE+ is given by the following grammar from a set of variables V:
    Expressions: E → V | cons(E1, E2) | hd(E) | tl(E) | exec_n(E0, E1, ..., En) | spec_n(E0, E1, ..., En)   with n ≥ 1
    Commands:    C → V := E | C1; C2 | while(E){C} | if(E){C1}else{C2}
A WHILE+ program p is defined as follows: p(V1, ..., Vn){C; return E;}. A program p computes a function ⟦p⟧ from D^n to D.
We suppose that we are given a concrete syntax of WHILE+, that is, an encoding of programs by binary trees of D. From now on, when the context is clear, we do not make any distinction between a program and its concrete syntax. And we make no distinction between programs and data.
For convenience, we have a built-in self-interpreter exec_n of WHILE+ programs which satisfies:
    ⟦exec_n⟧(⌜p⌝, x1, ..., xn) = ⟦p⟧(x1, ..., xn)
In the above equation, the notation ⌜p⌝ means the concrete syntax of the program p.
We also use a built-in specializer spec_m which satisfies:
    ⟦⟦spec_m⟧(⌜p⌝, x1, ..., xm)⟧(x_{m+1}, ..., xn) = ⟦p⟧(x1, ..., xn)
We may omit the subscript n which indicates the number of arguments of an interpreter or a specializer.
The use of an interpreter and of a specializer is justified by Jones who showed in [13] that programs with these constructions can be simulated up to a linear constant time by programs without them.
If f and g designate the same function, we write f ≈ g. A function f is semi-computable if there is a program p such that ⟦p⟧ ≈ f; moreover, if f is total, we say that f is computable.
2.2 A Computer Virus representation
We propose the following scenario in order to represent viruses. When a program p is executed within an environment x, the evaluation of ⟦p⟧(x), if it halts, is a new environment. This process may then be repeated by replacing x by the new computed environment. The entry x is thought of as a finite sequence x1, ..., xn which represents files and accessible parameters.
Typically, a program copy which duplicates a file satisfies ⟦copy⟧(⟨p, x⟩) = ⟨p, p, x⟩. The original environment is ⟨p, x⟩. After the evaluation of copy, we have the environment ⟨p, p, x⟩ in which p is copied.
Next consider an example of parasitic virus. Parasitic viruses insert themselves into existing files. When an infected host is executed, first the virus infects a new host, then it gives the control back to the original host. For more details we refer to the virus writing manual of Ludwig [15]. A parasitic virus is a program v which works on an environment ⟨p, q, x⟩. The infected form of p is B(v, p) where B is a propagation function which specifies how a virus contaminates a file. Here, the propagation function B can be for example a program code concatenation function. So, we have a first "generic" equation: ⟦v⟧(p, ⟨q, x⟩) = ⟦B(v, p)⟧(⟨q, x⟩). Following the description of a parasitic virus, v computes the infected form B(v, q) and then executes p. This means that the following equation also holds: ⟦v⟧(q, x) = ⟦p⟧(B(v, q), x). A parasitic virus is defined by the two above equations.
More generally, the construction of viruses lies in the resolution of fixed point equations such as the ones above in which v and B are unknowns. The existence of solutions of such systems is provided by Kleene's recursion theorem. From this observation and following [4], we propose the following virus representation:
Definition 1 (Computer Virus). Let B be a computable function. A virus w.r.t. B is a program v such that ∀p, x : ⟦v⟧(p, x) = ⟦B(v, p)⟧(x). Then, B is named a propagation function for the virus v.
This definition includes the ones of Adleman and Cohen, and it handles more propagation and duplication features than the other models [4]. However, it is worth noticing that the existence of a virus v w.r.t. a given propagation function B is constructive. This is a key difference since it allows one to build viruses by applying the fixed point constructions given by proofs of recursion theorems.
A motivation behind the choice of the WHILE+ programming language is the fact that there is no self-referential operator, like $0 in bash, which returns a copy of the program's concrete syntax. Indeed, we present below virus constructions without this feature. This shows that even if there is no self-referential operator, there are still viruses. Now, viruses should be more efficient if such operators are present. Of course, a seminal paper on this subject is [21].
3 Blueprint Duplication
3.1 Blueprint distribution engine
From [4], a blueprint virus for a function g is a program v which computes g using its own code v and its environment p, x. The function g can be seen as the virus specification function. A blueprint virus for a function g is a program v which satisfies
    v is a virus w.r.t. some propagation function
    ∀p, x : ⟦v⟧(p, x) = g(v, p, x)                                    (1)
Note that a blueprint virus does not use any code of its propagation function, unlike the smith viruses that we shall see shortly. The solutions of this system are provided by Kleene's recursion theorem.
Theorem 2 (Kleene's Recursion Theorem [14]). Let f be a semi-computable function. There is a program e such that ⟦e⟧(x) = f(e, x).
Definition 3 (Distribution engine). A distribution engine is a program dv such that for every virus specification program g, ⟦dv⟧(g) is a virus w.r.t. a fixed and given propagation function B.
Theorem 4. There is a distribution engine dv such that for any program g, ⟦dv⟧(g) is a blueprint virus for ⟦g⟧.
Proof. We use a construction for the recursion theorem due to Smullyan [20]. It provides a fixpoint which can be directly used as a distribution engine. We define dv thanks to the concrete syntax of dg as follows:
    dg (z,u,y,x) {
        r := exec(z,spec(u,z,u),y,x);
        return r;
    }
    dv (g) {
        r := spec(dg,g,dg);
        return r;
    }
We observe that ⟦⟦dv⟧(g)⟧(p, x) = ⟦g⟧(⟦dv⟧(g), p, x). Moreover, ⟦dv⟧(g) is clearly a virus w.r.t. the propagation function ⟦spec⟧.
We consider a typical example of blueprint duplication which looks like the real life virus ILoveYou. This program arrives as an e-mail attachment. Opening the attachment triggers the attack. The infection first scans the memory for passwords and sends them back to the attacker, then the virus self-duplicates by sending itself to every address of the local address book.
To represent this scenario we need to deal with mailing processes. A mail m = ⟨@, y⟩ is an association of an address @ and data y. Then, we consider that the environment contains a mailbox mb = ⟨m1, ..., mn⟩ which is a sequence of mails. To send a mail m, we add it to the mailbox, that is mb := cons(m, mb). We suppose that an external process deals with mailing.
In the following, x denotes the local file structure, and @bk = ⟨@1, ..., @n⟩ denotes the local address book, a sequence of addresses. We finally introduce a WHILE+ program find which searches its input for passwords and which returns them as its evaluation. The virus behavior for the scenario of ILoveYou is given by the following program.
    g (v,⟨mb,@bk,x⟩) {
        pass := exec(find,x);
        mb := cons(cons("badguy@dom.com",pass),mb);
        y := @bk;
        while (y) {
            mb := cons(cons(hd(y),v),mb);
            y := tl(y);
        }
        return mb;
    }
From the virus specification program g, we generate the blueprint virus ⟦dv⟧(g).
3.2 Distributions of evolving blueprint viruses
An evolving blueprint virus is a virus which can mutate, but whose propagation function remains the same. Here, we describe a distribution engine for which the specification of a virus can use the code of its own distribution engine. Thus, we can generate evolved copies of a virus. Formally, given a virus specification function g, a distribution of evolving blueprint viruses is a program dv satisfying:
    dv is a distribution engine
    ∀i, p, x : ⟦⟦dv⟧(i)⟧(p, x) = g(dv, i, p, x)                        (2)
The existence of blueprint distributions corresponds to a stronger form of the recursion theorem, which was first proved by Case [5].
Theorem 5 (Explicit recursion [4]). Let f be a semi-computable function. There exists a computable function e such that ∀x, y : ⟦e(x)⟧(y) = f(e, x, y), where e also denotes a program computing e.
Definition 6 (Distribution engine builder). A builder of distribution engines is a program cv such that for every virus specification program g, ⟦cv⟧(g) is a distribution engine.
Theorem 7. There is a builder of distribution engines cv such that for any program g, ⟦cv⟧(g) is a distribution of evolving blueprint viruses for some fixed propagation function B.
Proof. We define
    edg (z,t,i,y,x) {
        e := spec(spec3,t,z,t);
        return exec(z,e,i,y,x);
    }
    cv (g) {
        r := spec(spec3,edg,g,edg);
        return r;
    }
We observe that for any i, ⟦⟦⟦cv⟧(g)⟧(i)⟧(p, x) = ⟦g⟧(⟦cv⟧(g), i, p, x). Moreover, ⟦⟦cv⟧(g)⟧(i) is a virus w.r.t. ⟦spec⟧.
To illustrate Theorem 7, we come back to the scenario of the virus ILoveYou, and we add to it mutation abilities. We introduce a WHILE+ program poly which is a polymorphic engine. This program takes a program p and a key i, and it rewrites p according to i, conserving the semantics of p. That is, poly satisfies: ⟦poly⟧(p, i) is one-one on i and ⟦⟦poly⟧(p, i)⟧ ≈ ⟦p⟧.
We build a virus which self-duplicates by sending mutated forms of itself. With the notations of Sect. 3.1, we consider a behavior described by the following WHILE+ program.
    g (dv,i,⟨mb,@bk,x⟩) {
        pass := exec(find,x);
        mb := cons(cons("badguy@dom.com",pass),mb);
        next_key := cons(nil,i);
        virus := exec(dv,next_key);
        mutation := exec(poly,virus,i);
        y := @bk;
        while (y) {
            mb := cons(cons(hd(y),mutation),mb);
            y := tl(y);
        }
        return mb;
    }
We apply Theorem 7 to transform this program into the code of the corresponding distribution engine. So, ⟦⟦cv⟧(g)⟧(i) is a copy indexed by i of the evolving blueprint virus specified by g.
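The fixed-point constructions of Theorems 4 and 7 can be checked mechanically. The following Python program is an added example, not code from the paper: a small evaluator for WHILE+ with the built-ins exec and spec, the paper's programs dg, dv, edg and cv transcribed into it, and two constructed, data-only specification programs g in place of the ILoveYou behaviour, so that equations (1) and (2) can be verified on concrete inputs. The encoding of programs as nested tuples, the 'lit' node for embedded data and the program spec3 are assumptions of this example.

```python
# Encoding (assumed by this example): nil is None, cons(a, b) is the Python pair
# (a, b), and a program's concrete syntax is the nested tuple
# ('prog', params, body, return_expr).  A 'lit' node embeds a value of D inside a
# program; it is how this encoding writes the output of spec and the literal code
# dg that the paper's dv contains.
NIL = None

def V(name):                    # variable expression
    return ('var', name)

def ev(e, env):
    """Evaluate a WHILE+ expression; env maps variable names to values of D."""
    tag = e[0]
    if tag == 'var':
        return env.get(e[1], NIL)          # an unassigned variable holds nil
    if tag == 'lit':
        return e[1]
    if tag == 'cons':
        return (ev(e[1], env), ev(e[2], env))
    if tag in ('hd', 'tl'):
        v = ev(e[1], env)                  # hd(nil) = tl(nil) = nil
        return NIL if v is NIL else v[0 if tag == 'hd' else 1]
    args = [ev(a, env) for a in e[1:]]     # exec_n / spec_n with n = len(args) - 1
    if tag == 'exec':
        return run(args[0], args[1:])
    if tag == 'spec':
        return spec(args[0], args[1:])
    raise ValueError(tag)

def ex(c, env):
    """Execute a WHILE+ command; nil is false, any pair is true."""
    tag = c[0]
    if tag == 'assign':
        env[c[1]] = ev(c[2], env)
    elif tag == 'seq':
        for s in c[1:]:
            ex(s, env)
    elif tag == 'while':
        while ev(c[1], env) is not NIL:
            ex(c[2], env)
    elif tag == 'if':
        ex(c[2] if ev(c[1], env) is not NIL else c[3], env)
    else:
        raise ValueError(tag)

def run(prog, args):
    """The self-interpreter exec: [[p]](x1, ..., xn) for p = ('prog', params, body, ret)."""
    _, params, body, ret = prog
    env = dict(zip(params, args))
    ex(body, env)
    return ev(ret, env)

def spec(prog, vals):
    """The specializer spec_m: freeze the first m parameters as literal assignments."""
    _, params, body, ret = prog
    pre = [('assign', p, ('lit', v)) for p, v in zip(params, vals)]
    return ('prog', params[len(vals):], ('seq', *pre, body), ret)

# The paper's programs, transcribed.  dg(z,u,y,x){ r := exec(z,spec(u,z,u),y,x); return r; }
DG = ('prog', ('z', 'u', 'y', 'x'),
      ('assign', 'r', ('exec', V('z'), ('spec', V('u'), V('z'), V('u')), V('y'), V('x'))),
      V('r'))
# dv(g){ r := spec(dg,g,dg); return r; }  -- dg's concrete syntax is a literal inside dv
DV = ('prog', ('g',), ('assign', 'r', ('spec', ('lit', DG), V('g'), ('lit', DG))), V('r'))
# spec3 written as a program (assumed): spec3(p,a,b,c){ return spec(p,a,b,c); }
SPEC3 = ('prog', ('p', 'a', 'b', 'c'), ('seq',), ('spec', V('p'), V('a'), V('b'), V('c')))
# edg(z,t,i,y,x){ e := spec(spec3,t,z,t); return exec(z,e,i,y,x); }
EDG = ('prog', ('z', 't', 'i', 'y', 'x'),
       ('assign', 'e', ('spec', ('lit', SPEC3), V('t'), V('z'), V('t'))),
       ('exec', V('z'), V('e'), V('i'), V('y'), V('x')))
# cv(g){ r := spec(spec3,edg,g,edg); return r; }
CV = ('prog', ('g',),
      ('assign', 'r', ('spec', ('lit', SPEC3), ('lit', EDG), V('g'), ('lit', EDG))), V('r'))

# Constructed, harmless specifications that only build data.
# Blueprint: g(v,p,x) = cons(v, cons(p,x)), a copy of the code in front of the environment.
G_BLUEPRINT = ('prog', ('v', 'p', 'x'), ('seq',),
               ('cons', V('v'), ('cons', V('p'), V('x'))))
# Evolving: g(dv,i,p,x) = cons(exec(dv, cons(nil,i)), cons(p,x)), the copy with the next index.
G_EVOLVING = ('prog', ('dv', 'i', 'p', 'x'), ('seq',),
              ('cons', ('exec', V('dv'), ('cons', ('lit', NIL), V('i'))),
                       ('cons', V('p'), V('x'))))

def check_blueprint(p, x):
    """Theorem 4: v = [[dv]](g) satisfies [[v]](p,x) = [[g]](v,p,x) and is a virus
    w.r.t. spec, i.e. [[spec(v,p)]](x) = [[v]](p,x).  Returns (v, both equations hold)."""
    v = run(DV, [G_BLUEPRINT])
    holds = (run(v, [p, x]) == run(G_BLUEPRINT, [v, p, x]) == (v, (p, x))
             and run(spec(v, [p]), [x]) == run(v, [p, x]))
    return v, holds

def check_evolving(i, p, x):
    """Theorem 7: dv = [[cv]](g) satisfies [[[[dv]](i)]](p,x) = [[g]](dv,i,p,x), and the
    copy it emits is [[dv]](cons(nil,i)), a distinct program with the next index."""
    dv = run(CV, [G_EVOLVING])
    out = run(run(dv, [i]), [p, x])
    holds = (out == run(G_EVOLVING, [dv, i, p, x])
             and out[0] == run(dv, [(NIL, i)]) and out[0] != run(dv, [i]))
    return dv, holds
```

Because the virus code produced by dv and cv is plain data of D, the same evaluator can be pointed at any other specification program g to see which fixed point the construction yields.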
7. 4 Smith Reproduction
4.1 Smith Viruses
We define a smith virus as two programs v, B which is defined w.r.t a virus
specification function g according to the following system.
v is a virus w.r.t B
∀p, x : v (p, x) = g(B, v, p, x)
The class of smith viruses is obtained by the double recursion theorem due to
Smullyan [18] as a solution to the above equations.
Theorem 8 (Double Recursion Theorem [18]). Let f1 and f2 be two semi-
computable functions. There are two programs e1 and e2 such that
e1 (x) = f1(e1, e2, x) e2 (x) = f2(e1, e2, x)
We extend the previous definition of engine distribution to propagation en-
gine as follows.
Definition 9 (Virus Distribution). A virus distribution is a pair (dv, dB)
of programs such that for every virus specification g, dv (g) is a virus w.r.t
dB (g) . As previously, dv is named a distribution engine and dB is named
a propagation engine.
Theorem 10. There is a virus distribution (dv, dB) such that for any program
g, dv (g), dB (g) is a smith virus for g .
Proof. We define the following programs with a double fixed point.
dg1 (z1,z2,y1,y2,y,x) {
    e1 := spec(y1,z1,z2,y1,y2);
    e2 := spec(y2,z1,z2,y1,y2);
    return exec(z1,e1,e2,y,x);
}
dg2 (z1,z2,y1,y2,y,x) {
    e1 := spec(y1,z1,z2,y1,y2);
    e2 := spec(y2,z1,z2,y1,y2);
    return exec(z2,e1,e2,y,x);
}
and
pispec (g,B,v,y,p) {
    r := spec(g,B,v,p);
    return r;
}
Then, let dv and dB be the following programs.
dv (g) {
    r := spec(pispec,g);
    return spec(dg2,r,g,dg1,dg2);
}
dB (g) {
    r := spec(pispec,g);
    return spec(dg1,r,g,dg1,dg2);
}
We observe that for any program g
dv(g)(p, x) = dB(g)(dv(g), p)(x) = g(dB(g), dv(g), p, x)
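The double fixed point above can be checked mechanically. The following is an added example, not code from the paper: it models exec and spec over programs-as-data in Python (a program is a pair of a registered function name and its already-specialised arguments, so s-m-n is just tuple extension), transcribes dg1, dg2, pispec, dv and dB from the proof, and verifies the observation with a constructed, harmless specification g_echo that merely returns the programs and arguments it is handed. The PROGRAMS registry, the program decorator and g_echo are assumptions of this model.

```python
# Programs are data: (name, bound_args). PROGRAMS maps names to Python functions.
PROGRAMS = {}

def program(fn):
    """Register fn under its name and return it as a program (data), not a closure."""
    PROGRAMS[fn.__name__] = fn
    return (fn.__name__, ())

def exec_(prog, *args):
    """exec: universal program, runs prog on its bound arguments followed by args."""
    name, bound = prog
    return PROGRAMS[name](*bound, *args)

def spec(prog, *args):
    """spec (s-m-n): fix leading arguments of prog, yielding a new program as data."""
    name, bound = prog
    return (name, bound + args)

@program
def dg1(z1, z2, y1, y2, y, x):          # transcription of dg1 from the proof of Theorem 10
    e1 = spec(y1, z1, z2, y1, y2)
    e2 = spec(y2, z1, z2, y1, y2)
    return exec_(z1, e1, e2, y, x)

@program
def dg2(z1, z2, y1, y2, y, x):          # transcription of dg2
    e1 = spec(y1, z1, z2, y1, y2)
    e2 = spec(y2, z1, z2, y1, y2)
    return exec_(z2, e1, e2, y, x)

@program
def pispec(g, B, v, y, p):              # transcription of pispec; y is unused, as in the paper
    return spec(g, B, v, p)

def dv(g):                              # distribution engine
    r = spec(pispec, g)
    return spec(dg2, r, g, dg1, dg2)

def dB(g):                              # propagation engine
    r = spec(pispec, g)
    return spec(dg1, r, g, dg1, dg2)

@program
def g_echo(B, v, p, x):
    # Constructed, harmless specification: it only returns what it receives,
    # which lets us see that it is handed back dB(g) and dv(g) themselves.
    return (B, v, p, x)

def smith_equations_hold(g, p, x):
    """True iff dv(g)(p,x) = dB(g)(dv(g),p)(x) = g(dB(g), dv(g), p, x)."""
    v, B = dv(g), dB(g)
    return exec_(v, p, x) == exec_(exec_(B, v, p), x) == exec_(g, B, v, p, x)
```

Because programs are plain tuples, e1 and e2 computed inside dg1/dg2 compare equal to dB(g) and dv(g), which is exactly the self-reference the double recursion theorem provides.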
We present how to build the parasitic virus of Sect. 2. The virus specification function g of the virus is the following.
g (B,v,p,q,x) {
    infected_form := exec(B,v,q);
    return exec(p,infected_form,x);
}
First, it infects a new host q with the virus v using the propagation procedure B. Then, it executes the original host p. This corresponds to the behavior of a parasitic virus. We obtain a smith virus using the builder of Theorem 10.
4.2 Smith Distributions
Smith distributions generate viruses which are able to mutate both their code and their propagation mechanism. A smith distribution (dv, dB) w.r.t. the virus specification program g satisfies
(dv, dB) is a virus distribution
∀i, p, x : dv(i)(p, x) = g(dB, dv, i, p, x)
The class of smith distributions is defined as the solutions given by the following double recursion theorem.
Theorem 11 (Double Explicit Recursion). Let f1 and f2 be two semi-computable functions. There are two computable functions e1 and e2 such that for all x and y
e1(x)(y) = f1(e1, e2, x, y)
e2(x)(y) = f2(e1, e2, x, y)
where the programs e1 and e2 respectively compute e1 and e2.
Definition 12 (Distribution builder). A distribution builder is a pair of programs (cv, cB) such that for every virus specification program g, (cv(g), cB(g)) is a virus distribution.
Theorem 13. There is a distribution builder (cv, cB) such that for any program g, (cv(g), cB(g)) is a smith distribution for g.
Proof. We define the following programs:
edg1 (z1,z2,t1,t2,i,y,x) {
    e1 := spec(spec5,t1,z1,z2,t1,t2);
    e2 := spec(spec5,t2,z1,z2,t1,t2);
    return exec(z1,e1,e2,i,y,x);
}
edg2 (z1,z2,t1,t2,i,y,x) {
    e1 := spec(spec5,t1,z1,z2,t1,t2);
    e2 := spec(spec5,t2,z1,z2,t1,t2);
    return exec(z2,e1,e2,i,y,x);
}
and
pispec (g,db,dv,i,y,p) {
    r := spec(g,db,dv,i,p);
    return r;
}
Let cv and cB be the following programs.
cv (g) {
    r := spec(pispec,g);
    return spec(spec5,edg2,r,g,edg1,edg2);
}
cB (g) {
    r := spec(pispec,g);
    return spec(spec5,edg1,r,g,edg1,edg2);
}
We observe that for any program g
cv(g)(i)(p, x) = cB(g)(i)(cv(g)(i), p)(x) = g(cB(g), cv(g), i, p, x)
We enhance the virus of Sect. 4.1, adding some polymorphic abilities. Any
virus of generation i infects a new host q with a virus of next generation using
the propagation procedure of generation i. Then it gives the control back to the
original host p. This behavior is illustrated by the following program.
g (db,dv,i,p,q,x) {
    B := exec(db,i);
    v := exec(dv,cons(i,nil));
    mutation := exec(poly,v,i);
    infected_form := exec(B,mutation,q);
    return exec(p,infected_form,x);
}
Then, we obtain the smith distribution by the builder of Theorem 13.
References
1. L. Adleman. An abstract theory of computer viruses. In Advances in Cryptology – CRYPTO'88, volume 403 of Lecture Notes in Computer Science, 1988.
2. M. Blum. A machine-independent theory of the complexity of recursive functions. Journal of the Association for Computing Machinery, 14(2):322–336, 1967.
3. G. Bonfante, M. Kaczmarek, and J.-Y. Marion. Toward an abstract computer virology. In ICTAC, pages 579–593, 2005.
4. G. Bonfante, M. Kaczmarek, and J.-Y. Marion. On abstract computer virology from a recursion-theoretic perspective. Journal in Computer Virology, 1(3-4), 2006.
5. J. Case. Periodicity in generations of automata. Theory of Computing Systems, 8(1):15–32, 1974.
6. D. Chess and S. White. An undetectable computer virus. In Proceedings of the 2000 Virus Bulletin Conference (VB2000), 2000.
7. F. Cohen. Computer Viruses. PhD thesis, University of Southern California, January 1986.
8. F. Cohen. On the implications of computer viruses and methods of defense. Computers and Security, 7:167–184, 1988.
9. E. Filiol. Computer Viruses: from Theory to Applications. Springer-Verlag, 2005.
10. E. Filiol. Malware pattern scanning schemes secure against black-box analysis. Journal of Computer Virology, 2(1):35–50, 2006.
11. T. Hansen, T. Nikolajsen, J. Träff, and N. Jones. Experiments with implementations of two theoretical constructions. In Lecture Notes in Computer Science, volume 363, pages 119–133. Springer-Verlag, 1989.
12. N. Jones. Computer implementation and applications of Kleene's S-m-n and recursive theorems. In Y. N. Moschovakis, editor, Lecture Notes in Mathematics, Logic From Computer Science, pages 243–263. Springer-Verlag, 1991.
13. N. Jones. Constant Time Factors Do Matter. MIT Press, Cambridge, MA, USA, 1997.
14. S. Kleene. Introduction to Metamathematics. Van Nostrand, 1952.
15. M. Ludwig. The Giant Black Book of Computer Viruses. American Eagle Publications, 1998.
16. L. Moss. Recursion theorems and self-replication via text register machine programs. In EATCS Bulletin, 2006.
17. P. Odifreddi. Classical Recursion Theory. North-Holland, 1989.
18. H. Rogers. Theory of Recursive Functions and Effective Computability. McGraw-Hill, New York, 1967.
19. R. Smullyan. Recursion Theory for Metamathematics. Oxford University Press, 1993.
20. R. Smullyan. Diagonalization and Self-Reference. Oxford University Press, 1994.
21. K. Thompson. Reflections on trusting trust. Communications of the Association for Computing Machinery, 27(8):761–763, 1984.
22. J. von Neumann. Theory of Self-Reproducing Automata. University of Illinois Press, Urbana, Illinois, 1966. Edited and completed by A. W. Burks.
23. Z. Zuo and M. Zhou. Some further theoretical results about computer viruses. The Computer Journal, 47(6):627–633, 2004.
24. Z. Zuo, Q.-x. Zhu, and M.-t. Zhou. On the time complexity of computer viruses. IEEE Transactions on Information Theory, 51(8):2962–2966, August 2005.